ePolicy Orchestrator installation/patch upgrade checklist for known issues
Technical Articles ID:
KB71825
Last Modified: 6/17/2016
Rated:
Environment
McAfee ePolicy Orchestrator (ePO) 5.x
Summary
The following is a checklist for known issues with full product installations and patch upgrades for ePO.
Intel Security recommends that you perform these operations directly on the ePO server and not through a remote connection. If you must use a remote connection, ensure that you are connected using the console session (session 0).
General tasks:
Review the supported upgrade paths for ePO
See KB86693 for a list of supported upgrade paths.
Review the product or patch release notes for new features
Click here for a list of ePO release notes.
Review the product or patch known issues article
Review the article to understand both general known issues and known issues when upgrading. Click here for a list of ePO known issues articles.
Tasks to perform on the ePO server:
Back up your ePO server
For more information, see KB66616.
Ensure that the ePO server has enough hard disk space for the upgrade
- System temp drive - Requires 2 GB or more of free disk space
- ePO installation drive - May require up to three times the size of the McAfee\ePolicy Orchestrator folder or 20 GB, whichever is greater
NOTE: If the ePO server is installed on the same drive as the system temp folder and the ePO installation directory is 15 GB in size, the required available hard disk space in the C drive will be more than 45 GB to account for the system temp folder. In that scenario, you would need 15 GB X 3 GB + 2 GB = 47 GB of free space. In the same scenario, if the ePO installation directory is 2 GB in size, the minimum size requirement means that the drive must have 20 GB + 2 GB = 22 GB of free space.
(Optional) You can reduce the drive space requirement by purging log files and temp files from the ePO installation directory prior to upgrading
- Stop the ePO services.
- Press Windows+R, type services.msc, and click OK.
- Right-click the following services and select Stop:
McAfee ePolicy Orchestrator x.x.x Application Server
McAfee ePolicy Orchestrator x.x.x Server
McAfee ePolicy Orchestrator x.x.x Event Parser
- Delete the files in the following folders:
- <ePO_installation_directory>\Server\Temp
- <ePO_installation_directory>\Server\Logs
- <ePO_installation_directory>\DB\Logs
- <ePO_installation_directory>\Apache2\Logs
- Start the ePO services
- Press Windows+R, type services.msc, and click OK.
- Right-click the following services and select Start:
McAfee ePolicy Orchestrator x.x.x Application Server
McAfee ePolicy Orchestrator x.x.x Server
McAfee ePolicy Orchestrator x.x.x Event Parser
Ensure that the 8.3 naming convention is enabled
It is required that the 8.3 naming convention is enabled on the drive where ePO is going to be installed. For instructions to enable the 8.3 naming convention, see Solution 1 in KB51431.
Before you upgrade the McAfee Agent extension or before the next ASCI immediately after the extension upgrade, disable any tasks configured to install the McAfee Agent that are scheduled to Run Immediately
When you check in a new McAfee Agent extension on the ePO server, previously executed tasks that are configured to run immediately execute again at the next scheduled Agent-to-Server Communication Interval (ASCI). This can cause various products to be redeployed to clients if the deployment task was scheduled to run immediately. To prevent this issue, before you upgrade the McAfee Agent extension or before the next ASCI immediately after the extension upgrade, disable any tasks configured to install the McAfee Agent that are scheduled to Run Immediately. For more information, see KB74420.
Disable ePO server tasks and any Windows scheduled tasks that may be set to run on the ePO server
Disable any tasks that would interfere with the installation (such as purge events, pull tasks, and replication tasks). If you are using McAfee Drive Encryption, it is important to disable all LDAP Sync tasks before initiating the upgrade of the ePO server. Ensure that there are no LDAP Sync tasks running. If any are running, wait for them to complete. For more information see KB84690.
For information on editing tasks, see the product guide for your current version of ePO:
- PD25504 - ePolicy Orchestrator 5.3 Product Guide
- PD24808 - ePolicy Orchestrator 5.1 Product Guide
Disable Windows updates
Disable Windows updates to ensure they do not interfere with your ePO installation or upgrade. For more information, see http://windows.microsoft.com/en-US/windows-vista/Turn-automatic-updating-on-or-off.
Disable third-party software
Disable any software that automatically restarts services on your ePO server. This includes disabling monitoring software (such as Microsoft System Center Operations Manager) that might affect the ePO services starting and stopping for the duration of the installation or upgrade.
Disable any third-party security software that could potentially introduce permissions issues.
Ensure the id="orion.server.https" attribute is not missing from server.xml (Only required when upgrading from ePO 4.x to 5.x)
See KB78121 to determine whether the id="orion.server.https" attribute is missing from the server.xml file. The article contains instructions to add id="orion.server.https" to the list of attributes if it is missing.
Tasks to perform on the SQL server (may be the same as the ePO server if you chose to install SQL Express bundled with ePO):
Ensure correct account permissions
The account used to access the SQL server must have the following permissions:
Default database must be master:
- Click Start, Programs, Microsoft SQL Server, SQL Server Management Studio.
- Expand Security, Logins.
- Right-click the account and select Properties.
- Ensure the default database is set to master.
- Expand User Mapping and ensure that the account has dbo in the schema for the database.
This account must be the db_owner in the database security properties:
-
Click Start, Programs, Microsoft SQL Server, SQL Server Management Studio.
-
Expand Databases, your ePO database, Security, Users.
-
Right-click the dbo account and select Properties.
-
Ensure that the account has dbo in the Default schema for the database.
If you use an NT account to authenticate to the ePO database, ensure that the account has Local Admin rights on the ePO server.
See KB75766 for detailed information on the required SQL permissions.
Verify the SQL instance that ePO is using
Perform either of the following to verify the SQL instance that ePO is using:
- Check the SQL server service name: (SQL Server (SQLEXPRESS)) or (SQL Server (EPOSERVER)).
- Run the following query in SQL Server Management Studio:
select @@servername
go
Ensure Auto Close is set to False for the ePO database
-
Click Start, Programs, Microsoft SQL Server, SQL Server Management Studio.
-
Right-click the ePO database and select Properties.
-
Click Options and ensure Auto Close is set to False. If it is not, click Auto Close, select False, and click OK.
Ensure Arithmetic Abort Enabled is set to True for the ePO database
- Click Start, Programs, Microsoft SQL Server, SQL Server Management Studio.
- Right-click the ePO database and select Properties.
- Click Options and ensure Arithmetic Abort Enabled is set to True. If it is not, click Arithmetic Abort Enabled, select True, and click OK.
Ensure the Compatibility level is set to 100 or higher for the ePO database
- Click Start, Programs, Microsoft SQL Server, SQL Server Management Studio.
- Right-click the ePO database and select Properties.
- Click Options and ensure Compatibility level is set to 100 rather than 80 or 90. If it is not, select 100 from the Compatibility level drop-down list and click OK.
Verify the correct DB collation is set on the SQL server
ePO uses SQL_Latin1_General_CP1_CI_AS as the default collation for the database when an upgrade or fresh installation of ePO is performed.
To verify collation in the SQL server:
- Click Start, Programs, Microsoft SQL Server, SQL Server Management Studio.
- Log on to the server using Windows Authentication or SQL Server Authentication, as applicable.
- In Object Explorer, expand Databases, and locate the ePO database.
- Right-click the ePO database and select Properties.
- Review the Collation field in the General page.
See KB73717 for detailed information on supported collation types for ePO.
Ensure the SQL browser service is running
-
Press Windows+R, type services.msc, and click OK.
-
Locate the SQL Server Browser service and ensure that it is started and running.
-
If it is not, right-click the SQL Server Browser service and select Start.
To avoid the issue documented in KB76645 if you are using Microsoft SQL 2008 R2 or earlier, ensure that Microsoft KB 2653857 is applied on the SQL server. If that is not possible, disable SQL Force Encryption before upgrading if it is enabled:
- Click Start, All Programs, Configuration Tools, SQL Server Configuration Manager.
- Right-click Protocols for <instance_name> (MSSQLSERVER by default) under SQL Server Network Configuration and click Properties.
- Click the drop-down list for Force Encryption and select No.
- Click OK.
Final Considerations:
In a pure IPv6 environment, ensure that only IPv6 is enabled on the SQL server that hosts the ePO database.
Review documentation correction article KB83298 regarding stopping ePO services on remote Agent Handlers instead of disabling them in the Handler List page.
Ensure that the ePO admin and SQL account usernames and passwords meet the criteria described in KB66286.
Perform a preventative measure to avoid Tomcat failing to stop
Perform this step only when you are ready to start the installation.
- Press Windows+R, type services.msc, and click OK.
- Stop the ePolicy Orchestrator Server Service and ePolicy Orchestrator Event Parser Service.
- Restart the ePolicy Orchestrator Application Server Service.
- Right-click the installer setup.exe and run it as an administrator.
|
